selinux: Add support for avc_acquire_netlink_fd()
Requires libselinux 2.0.79 or newer. Without this, libselinux will check for policy updates on the netlink socket on basically every policy lookup. Statistically speaking, they never happen, and the check translates to at least one more syscall on basically every operation. Instead, take control of the fd from the library, and check it in WakeupHandler if it polls readable.
This commit is contained in:
parent
be6dc9023b
commit
3992dd38ca
|
@ -1886,6 +1886,22 @@ SProcSELinuxDispatch(ClientPtr client)
|
|||
}
|
||||
}
|
||||
|
||||
#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
|
||||
static int netlink_fd;
|
||||
|
||||
static void
|
||||
SELinuxBlockHandler(void *data, struct timeval **tv, void *read_mask)
|
||||
{
|
||||
}
|
||||
|
||||
static void
|
||||
SELinuxWakeupHandler(void *data, int err, void *read_mask)
|
||||
{
|
||||
if (FD_ISSET(netlink_fd, (fd_set *)read_mask))
|
||||
avc_netlink_check_nb();
|
||||
}
|
||||
#endif
|
||||
|
||||
|
||||
/*
|
||||
* Extension Setup / Teardown
|
||||
|
@ -1916,6 +1932,12 @@ SELinuxResetProc(ExtensionEntry *extEntry)
|
|||
label_hnd = NULL;
|
||||
|
||||
audit_close(audit_fd);
|
||||
#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
|
||||
avc_netlink_release_fd();
|
||||
RemoveBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
|
||||
NULL);
|
||||
RemoveGeneralSocket(netlink_fd);
|
||||
#endif
|
||||
|
||||
avc_destroy();
|
||||
avc_active = 0;
|
||||
|
@ -2012,6 +2034,13 @@ SELinuxExtensionInit(INITARGS)
|
|||
if (atom_client_ctx == BAD_RESOURCE)
|
||||
FatalError("SELinux: Failed to create atom\n");
|
||||
|
||||
#ifdef HAVE_AVC_NETLINK_ACQUIRE_FD
|
||||
netlink_fd = avc_netlink_acquire_fd();
|
||||
AddGeneralSocket(netlink_fd);
|
||||
RegisterBlockAndWakeupHandlers(SELinuxBlockHandler, SELinuxWakeupHandler,
|
||||
NULL);
|
||||
#endif
|
||||
|
||||
/* Register callbacks */
|
||||
ret &= dixRegisterPrivateInitFunc(subjectKey, SELinuxSubjectInit, NULL);
|
||||
ret &= dixRegisterPrivateDeleteFunc(subjectKey, SELinuxSubjectFree, NULL);
|
||||
|
|
|
@ -940,6 +940,10 @@ if test "x$XSELINUX" = xyes; then
|
|||
AC_CHECK_LIB(selinux, avc_init, [], AC_MSG_ERROR([SELinux library not found]))
|
||||
AC_CHECK_HEADERS([libaudit.h], [], AC_MSG_ERROR([SELinux extension requires audit system headers]))
|
||||
AC_CHECK_LIB(audit, audit_open, [], AC_MSG_ERROR([SELinux extension requires audit system library]))
|
||||
AC_CHECK_DECL(avc_netlink_acquire_fd,
|
||||
[AC_DEFINE(HAVE_AVC_NETLINK_ACQUIRE_FD, 1, "Have avc_netlink_acquire_fd")],
|
||||
[],
|
||||
[#include <selinux/avc.h>])
|
||||
AC_DEFINE(XSELINUX, 1, [Build SELinux extension])
|
||||
SELINUX_LIB="-lselinux -laudit"
|
||||
fi
|
||||
|
|
|
@ -425,4 +425,6 @@
|
|||
#include "dix-config-apple-verbatim.h"
|
||||
#endif
|
||||
|
||||
#undef HAVE_AVC_NETLINK_ACQUIRE_FD
|
||||
|
||||
#endif /* _DIX_CONFIG_H_ */
|
||||
|
|
Loading…
Reference in New Issue
Block a user